I have a mainstack that has one substack with sensitive information in it. The mainstack can open, but one cannot proceed to the substack without the correct password.
Even though it is encrypted, I would feel more comfortable if there was absolutely no way someone could open the substack through livecode.
I seem to remember something about using "stackfiles" I've been years away from this, sorry.

Anyone know if a separate password protected stack is more secure than a password protected subStack?

I doubt there's a difference. The only unique thing about a substack is that it's inside the same file on disk. But it acts the same either way.

If a user has access to the IDE there's no good way to prevent the stack from being accessed, though they can't view the scripts. However, you could store the binary stack as a custom property and only extract it when you need to. I've done this.

1. During development, save the stack to disk. Then set a custom property to url ("binfile:" & <path to file>). The binary file is now a custom property.
2. When you want to work with the stack, write the custom property to an obscure location and open it from there. I use tempName() to get a unique file name. The temporary file location is fairly obscure and on OS X is not easily accessed by users. Since your scripts are encrypted, users won't even know they should look.
3. When you're done with the stack, save it (to the temp file) and then put the binary file back into the custom property, and delete the temp file.

If you only want to read the stack and not save any changes, you can just open it directly from the custom property without saving to disk first: